CVE-2026-6973: Ivanti Confirms Critical Attack on Unpatched EPMM

Published on May 10, 2026 | Translated from Spanish

Ivanti has confirmed active exploitation of CVE-2026-6973, a critical vulnerability in Endpoint Manager Mobile (EPMM). It allows unauthenticated remote attackers to execute arbitrary code with administrator privileges. The flaw resides in the product's web interface and requires no user interaction, exposing entire servers to full compromise without the need for credentials.

[Illustration: a vulnerable EPMM server displaying a critical error screen, with malicious code injected into its web interface and a broken lock symbolizing unauthorized access.]

Technical details of the remote execution flaw 🔥

The CVE-2026-6973 vulnerability affects specific components of the EPMM web interface. An attacker can send malicious HTTP requests to trigger arbitrary code execution on the server. By gaining administrator-level access, they can modify configurations, extract sensitive data, or deploy malicious payloads. Ivanti recommends applying immediate security updates and reviewing logs for suspicious activity.

The patch is coming, but the party has already started 🎉

Ivanti informs us that the patch is on its way, which is great if you have patience to spare and a compromised production server. Meanwhile, unauthenticated attackers can stroll through your EPMM as if it were their home, without needing keys. Perhaps we should ask whether the admin who configured this left the door wide open or whether it was a design flaw.